Cloud Security Frame

Frames are a lens for looking at Cloud Security. The frame is simply a collection of Hot Spots. Each Hot Spot represents an actionable category for information. Using Hot Spots, you can quickly find pain points and opportunities, or key decision points. It helps us organize principles, patterns, and practices by relevancy. For example, in this case, we use the Cloud Security Frame to organize threats, attacks, vulnerabilities and countermeasures.

Hot Spots

Auditing and Logging

Authentication

Authorization

Communication

Configuration Management

Cryptography

Exception Management

Sensitive Data

Session Management

Validation

Frame

Hot Spot

Description

Auditing and Logging

Auditing and logging refers to how security-related events are recorded, monitored, and audited. Examples include: Who did what and when?

Authentication

Authentication is the process of proving identity, typically through credentials, such as a user name and password.

Authorization

Authorization is how your application provides access controls for roles, resources and operations.

Configuration Management

Configuration management refers to how your application handles configuration and administration of your applications from a security perspective. Examples include: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured?

Cryptography

Cryptography refers to how your application enforces confidentiality and integrity. Examples include: How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong?

Exception Management

Exception management refers to how you handle application errors and exceptions. Examples include: When your application fails, what does your application do? How much information do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?

Sensitive Data

Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores. Examples include: How does your application handle sensitive data?

Session Management

A session refers to a series of related interactions between a user and your application. Examples include: How does your application handle and protect user sessions?

Validation

Validation refers to how your application filters, scrubs, or rejects input before additional processing, or how it sanitizes output. It's about constraining input through entry points and encoding output through exit points. Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. Examples include: How do you know that the input your application receives is valid and safe? Do you trust data from sources such as databases and file shares?